T-Mobile, Secret Service agent get hacked

A hacker broke into T-Mobile's customer database, gaining access to …

A man has been arrested for illegally accessing the servers of T-Mobile, gaining access to the personal data of over 16 million of the company's customers. At least one of those affected worked for the US Secret Service, and as a result, highly-sensitive e-mails and other documents belonging to the Secret Service were compromised. The accused, Nicolas Jacobsen, also attempted to sell customers' identifying information such as birth date and Social Security numbers to identity thieves.

The arrest came as part of Operation Firewall, a Secret Service effort to infiltrate networks of identity thieves. There were 19 arrests made last fall in connection with the investigation. Details of the case have been kept quiet by the Secret Service, in contrast to others in Operation Firewall. While the motivation could be embarrassment on the part of the Secret Service, Security Focus is reporting that the defendant has been offered a lenient plea bargain if he will trade his black hat in for a white one.

There are a couple of troubling aspects related to this case. First is that the defendant was able to access highly-confidential Secret Service material in the course of his illegal activities. One of the documents was a part of a sensitive mutual legal assistance treaty with Russia, and others included parts of internal communications. All of those were access by discovering the username and password of a Sidekick-toting Secret Service agent.

Should Secret Service agents be sending top secret information over their Sidekicks? It's an issue that individuals and companies have to wrestle with as Sidekicks, BlackBerrys, and Treos become more popular. It's incredibly convenient to be able to access e-mail from anywhere you can get a cellular signal. However, as this case demonstrates, that information is not as secure as you think it might be.

Celebrity Sidekick users were also targeted, although apparently for amusement rather than fraud. Jacobsen was able to download candid photos from the accounts of Paris Hilton (no video), Ashton Kucher, and Demi Moore, which were shared with others. While apparently innocuous, T-Mobile may have violated California law by not notifying their customers of the breach. The mobile communications company was made aware of the break-in some time last summer, but did not notify affected California residents of the breach. A 2003 law passed in that states requires companies and state agencies to "promptly" notify customers and other individuals when their personal data may have been compromised, with the exception of when notification could compromise a criminal investigation. T-Mobile has not yet commented on the case.